The present invention relates generally to secure communications and, more particularly, to a method and device for secure Internet Protocol Security communications between network peer nodes.
IPSec (Internet Protocol Security) is one currently popular Internet protocol for ensuring secure communications between peer nodes. IPSec is a set of protocols defined by the Internet Engineering Taskforce that provides a security mechanism at the IP layer. IPSec processing involves encapsulation of outgoing packets and de-encapsulation of inbound packets. The so-called “Encapsulating Security Payload” (ESP) protocol provides confidentiality, data integrity, and data source authentication of IP packets. This requires the insertion of an ESP header after the IP header of an IP packet but in front of the data to be protected. An ESP trailer is inserted after the data to be protected. An ESP packet is identified by the protocol field in the IP header. In order to allow IPSec packets to be properly encapsulated and de-encapsulated, it is necessary to associate security services and a key between the traffic being transmitted and the remote node that is the intended recipient of the traffic. The construct used for this purpose is a “Security Association” (SA). A SA is a relationship between two or more nodes that describes how the nodes will use security services to communicate securely.
IPSec provides many options for performing network encryption and authentication. Each IPSec connection can provide encryption, integrity, authenticity, or all three. When the security service is determined, the two IPSec peers must determine exactly which algorithms to use (for example, Triple DES (3DES) for encryption, SHA-1 for integrity and authentication). After deciding on the algorithms, the two devices must share session keys. SAs (Security Associations) are negotiated between peer nodes using a mechanism known as “Internet Key Exchange” (IKE) or IKE version 2 (IKEv2) protocols, and are allocated an identification known as a “Security Parameter Index” (SPI). Details of the existing SAs and the respective SPIs are usually maintained in a Security Association Database (SAD) that is associated with each IPSec node. The precise way in which IPSec is implemented in a system depends to a large extent upon the security policy of the organization wishing to employ IPSec. The policy is stored in a Security Policy Database (SPD), which is also associated with each IPSec node.
IPSec SAs may terminate through deletion or by timing out. An SA can time out when a specified amount of time has elapsed or when a specified number of bytes have passed through the secure tunnel established by the IPSec process. When subsequent IPSec SAs are needed for a data flow, an IKEv2 procedure re-establishes the connection using a renewal process. In known IKEv2 renewal processes, renewal is done with the same combination of algorithms that were originally negotiated. Using the same combination of algorithms could constitute a weakness in the overall security of the process. It would be advantageous to provide a way of providing higher security processing for data transmission.